10,000 Fake GitHub Repositories Spread Trojan Malware

Fake GitHub repositories cloning real projects and distributing Trojan malware through README ZIP archive links

GitHub has filled up with fake repositories. They disguise themselves as ordinary developer projects. In reality, they push Trojans through links to ZIP archives.

A developer using the alias Orchid uncovered the large campaign. He found roughly 10,000 repositories that looked like standalone projects from many different authors. Yet they all worked the same way. The attackers copied other people’s new repositories, kept the commit history and the contributor list, and then edited the README to add a link to a malicious archive.

How Orchid Spotted the Scheme

Orchid noticed the problem after someone cloned his own project. In Google, his original repository showed up correctly. However, in Bing the same query returned a stranger’s repository with an identical name and description. Inside sat a copy of the project, commit history included. The README, though, now carried a link to a ZIP archive.

A Consistent Pattern, Not Simple Forks

According to the developer, these fake repositories were not ordinary forks. They had different names, different owners, and different contributors. The shared detail was the repeated README edits. In some cases, the attackers deleted the old commit and added a new one hours later, always titled “Update README.md.” Reports of this scheme had surfaced online before, and developers had complained about spoofed projects on Reddit and Hacker News. Orchid flagged about 40,000 suspicious repositories, and roughly 10,000 matched the full template.

Inside the Malicious ZIP

The scheme centered on a ZIP archive. Inside, victims usually found a Windows batch file, an executable such as loader.exe or luajit.exe, a random .txt or .cso file, and the library lua51.dll. Submitting only the download link to VirusTotal might not flag anything malicious. Even so, the downloaded archive itself was already detected as a Trojan.
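The two indicators described above (a README-only commit that introduces a ZIP link, and an archive bundling a batch file, a loader or LuaJIT executable and lua51.dll) can be turned into a simple triage check. The code below is an added example, not Orchid's script or HexaStrike's tooling; the commit dictionary, README texts and sample archive are constructed here, and the `files` field is an assumed representation of the paths a commit touches.

```python
import io
import re
import zipfile

# Indicators taken from the campaign description: a README edit that adds a link
# to a ZIP archive, and an archive containing a .bat, loader.exe/luajit.exe and lua51.dll.
ARCHIVE_LINK = re.compile(r"https?://\S+\.zip\b", re.IGNORECASE)
LOADER_NAMES = {"loader.exe", "luajit.exe"}


def new_archive_links(readme_before: str, readme_after: str) -> list[str]:
    """Return ZIP links present in the edited README but absent from the original."""
    before = set(ARCHIVE_LINK.findall(readme_before))
    return [u for u in ARCHIVE_LINK.findall(readme_after) if u not in before]


def suspicious_readme_commit(commit: dict, readme_before: str, readme_after: str) -> bool:
    """Flag a commit that touches only README.md and introduces a new ZIP link.

    `commit["files"]` is an assumed field listing the paths changed by the commit.
    """
    only_readme = commit.get("files") == ["README.md"]
    return only_readme and bool(new_archive_links(readme_before, readme_after))


def archive_looks_like_loader(zip_bytes: bytes) -> bool:
    """Flag the bundle layout from the article: a batch file, a loader/LuaJIT exe and lua51.dll."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {n.rsplit("/", 1)[-1].lower() for n in zf.namelist()}
    has_batch = any(n.endswith((".bat", ".cmd")) for n in names)
    return has_batch and "lua51.dll" in names and bool(names & LOADER_NAMES)


def build_sample_zip() -> bytes:
    """Constructed sample archive with the described file layout (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("run.bat", "luajit.exe", "lua51.dll", "a1b2.txt"):
            zf.writestr(name, "placeholder")
    return buf.getvalue()
```

Run against a feed of commits and fetched archives, the two checks only narrow the candidate set; a hit still needs a manual look before reporting the repository.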

The SmartLoader and StealC Chain

The firm HexaStrike described a similar campaign earlier. Its specialists found 109 fake repositories and tied the activity to the SmartLoader and StealC chain. After the batch file runs, it starts a LuaJIT interpreter with an obfuscated script. The malware then fetches its command server address through a smart contract on the Polygon network. Next, it downloads the next stage of the attack.

In the end, StealC could land on the infected device. This stealer grabs a wide range of data. It can take crypto wallets, passwords, banking details, browser files, and email accounts. Moreover, it targets data from Steam, Discord, Telegram, and other services.

Why the Fakes Look So Convincing

These repositories felt trustworthy because they kept the original source code, commit history, and contributors. According to Orchid, the attackers cloned new repositories on purpose. That way, they reached search results for rare queries faster. In addition, such projects could attract more than human readers. AI agents that hunt for dependencies or code samples might also find them, and they could follow the malicious link automatically.

GitHub’s Slow Response

Orchid reported two fake copies of his projects to GitHub. By his account, the takedown took almost two months. After he published his script and a list of malicious repositories, GitHub began removing the flagged projects. However, Orchid says the platform deleted only the repositories named directly in his list. When he ran the script again, fresh matches appeared, and those were not removed quickly.

The Campaign May Run Deeper

Some fake repositories survived for months. A few may have stayed live for over a year. Orchid believes the 10,000 projects he found could be just part of the campaign. His search hit the GitHub API limit of 5,000 requests per hour. GitHub itself faces no such cap, so it could scan every repository, find the archives and executables, and check them for malicious code.

Who Is Behind It?

The operator remains unknown for now. HexaStrike suggested a single actor or a small, centrally managed group. Several clues point that way: the identical README structure, the synchronized updates, the repeated delivery tricks, and the shared infrastructure.
